[refpolicy] policy & patch for bitlbee

[refpolicy] policy & patch for bitlbee

[Devin Carraway]

[-- Attachment #1.1: Type: text/plain, Size: 621 bytes --]

Here's a policy module for BitlBee, a service which acts as a gateway for IRC
clients to various IM networks.

The patch adds three new ports to the corenetwork list, for the AIM, Yahoo
Messenger and MSN Messenger ports.  I drew the port names from the IANA
"registered por numbers' list at http://www.iana.org/assignments/port-numbers .

It's my first attempt at writing a policy module clean enough for publication;
feedback/criticism would be welcome.

Devin

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2

[-- Attachment #1.2: bitlbee.te --]
[-- Type: text/plain, Size: 2855 bytes --]

policy_module(bitlbee, 1.0.0)

# $Id: bitlbee.te 673 2007-08-11 21:03:48Z aqua $
# 
# (Draft) SELinux policy for the bitlbee IM gateway server, using refpolicy
# 
# Devin Carraway <devin@debian.org>


########################################
#
# Declarations
#

type bitlbee_t;
type bitlbee_exec_t;

# bitlbee is usually run from inetd, but also can be run standalone
init_daemon_domain(bitlbee_t, bitlbee_exec_t)

type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)

type bitlbee_share_t;
files_type(bitlbee_share_t)

type bitlbee_var_t;
files_type(bitlbee_var_t)

########################################
#
# Local policy
#
#

# normally started from inetd using tcpwrappers, so use those entry points
domain_auto_trans(tcpd_t, bitlbee_exec_t, bitlbee_t)
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t);

# allow library loading
libs_legacy_use_shared_libs(bitlbee_t)
libs_use_ld_so(bitlbee_t)

# it needs read-only access to its systemwide configuration in /etc/bitlbee
files_read_etc_files(bitlbee_t)
allow bitlbee_t bitlbee_conf_t:dir r_dir_perms;
allow bitlbee_t bitlbee_conf_t:file r_file_perms;

# grant read-only access to the user help files
allow bitlbee_t usr_t:dir { search };
allow bitlbee_t bitlbee_share_t:dir r_dir_perms;
allow bitlbee_t bitlbee_share_t:file r_file_perms;

# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
allow bitlbee_t bitlbee_var_t:dir rw_dir_perms;
allow bitlbee_t bitlbee_var_t:file manage_file_perms;

# read-only access to /var/run
files_search_pids(bitlbee_t)

# bitlbee's own network sockets (UDP, TCP and unix domain sockets)
allow bitlbee_t self:udp_socket { create_socket_perms };
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket { create_stream_socket_perms };
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_udp_sendrecv_lo_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_lo_node(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)

# Permit DNS requests
corenet_udp_sendrecv_dns_port(bitlbee_t)

# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)

# to AIM servers:
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)

# and to MMCC (Yahoo IM) servers:
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)

# and to MSNP (MSN Messenger) servers:
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)


[-- Attachment #1.3: bitlbee.fc --]
[-- Type: text/plain, Size: 286 bytes --]

/usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
/etc/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_conf_t,s0)
/var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)
/usr/share/bitlbee(/.*)?	gen_context(system_u:object_r:bitlbee_share_t,s0)

[-- Attachment #1.4: bitlbee.if --]
[-- Type: text/plain, Size: 38 bytes --]

## <summary>Bitlbee service</summary>

[-- Attachment #1.5: bitlbee-network-ports.patch --]
[-- Type: text/x-diff, Size: 1030 bytes --]

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in	(revision 2388)
+++ policy/modules/kernel/corenetwork.te.in	(working copy)
@@ -67,6 +67,7 @@
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
+network_port(aol, tcp,5190,s0, udp,5190,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
@@ -112,6 +113,8 @@
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mysqld, tcp,3306,s0)
 network_port(nessus, tcp,1241,s0)

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [refpolicy] policy & patch for bitlbee

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Devin Carraway wrote:
> Here's a policy module for BitlBee, a service which acts as a gateway for IRC
> clients to various IM networks.
> 
> The patch adds three new ports to the corenetwork list, for the AIM, Yahoo
> Messenger and MSN Messenger ports.  I drew the port names from the IANA
> "registered por numbers' list at http://www.iana.org/assignments/port-numbers .
> 
> It's my first attempt at writing a policy module clean enough for publication;
> feedback/criticism would be welcome.
> 
> Devin
> 
> 
Sorry I am way behind on selinux list.

First comment, if you have files directories that the confined domain
does not need to write, and the data within is not secret,  IE You dont
want other domains to be able to read it.  DO NOT create a type.  Just
leave the files the default type, and use the interface to allow you
domain to read it.

So I would remove


type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)

type bitlbee_share_t;
files_type(bitlbee_share_t)

And just allow bitlbee to read etc_t and usr_t.

Everything else looks ok.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG0AUQrlYvE4MpobMRAm8xAKDjeSySjEY+64bmgNBkEwQ/H9SE+wCggt4A
zUWWi8GzT4O0o2t7tgg1Cwc=
=eQ+k
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [refpolicy] policy & patch for bitlbee

[Devin Carraway]

[-- Attachment #1: Type: text/plain, Size: 1299 bytes --]

On Sat, Aug 25, 2007 at 06:31:44AM -0400, Daniel J Walsh wrote:
> First comment, if you have files directories that the confined domain
> does not need to write, and the data within is not secret,  IE You dont
> want other domains to be able to read it.  DO NOT create a type.  Just
> leave the files the default type, and use the interface to allow you
> domain to read it.

Hmm, okay.  bitlbee_share_t I put in not because /usr/share/bitlbee contains
anything sensitive (just one helpfile, at the moment), but because it has no
need to read any files of type usr_t, so by making a type for it I could avoid
granting anything on usr_t:file (usr_t:dir has r/o perms implied by
libs_legacy_use_shared_libs()).  Should I go ahead and let it read usr_t:file
for sake of avoiding the extra type, trading off a somewhat broader scope of
access for the domain?

> type bitlbee_conf_t;
> files_config_file(bitlbee_conf_t)

There's a single sensitive piece of data here, namely an (optional) password
to connect to the bitlbee server -- roughly analogous in policy terms to an
Apache htpasswd/htdigest file.

Thanks for the feedback!


-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [refpolicy] policy & patch for bitlbee

[Devin Carraway]

[-- Attachment #1.1: Type: text/plain, Size: 642 bytes --]

On Sat, Aug 25, 2007 at 06:31:44AM -0400, Daniel J Walsh wrote:
> So I would remove
[...]
> type bitlbee_share_t;
> files_type(bitlbee_share_t)

After talking a bit about this on #selinux, I went ahead with your suggestion
to remove bitlbee_share_t, and allow a usr_t read.  I kept bitlbee_conf_t,
since it can have an authentication secret in it.

Here's an updated version.  It adds (and uses) an interface
bitlbee_read_config() to permit reading bitlbee_conf_t.

Thanks again.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2

[-- Attachment #1.2: bitlbee.te --]
[-- Type: text/plain, Size: 2714 bytes --]

policy_module(bitlbee, 1.0.0)

# $Id: bitlbee.te 673 2007-08-11 21:03:48Z aqua $
# 
# (Draft) SELinux policy for the bitlbee IM gateway server, using refpolicy
# 
# Devin Carraway <devin@debian.org>

gen_require(`
	type tcpd_t;
')

########################################
#
# Declarations
#

type bitlbee_t;
type bitlbee_exec_t;

# bitlbee is usually run from inetd, but also can be run standalone
init_daemon_domain(bitlbee_t, bitlbee_exec_t)

type bitlbee_conf_t;
files_config_file(bitlbee_conf_t)

type bitlbee_share_t;
files_type(bitlbee_share_t)

type bitlbee_var_t;
files_type(bitlbee_var_t)

########################################
#
# Local policy
#
#

# normally started from inetd using tcpwrappers, so use those entry points
domain_auto_trans(tcpd_t, bitlbee_exec_t, bitlbee_t)
inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t);

# allow library loading
libs_legacy_use_shared_libs(bitlbee_t)
libs_use_ld_so(bitlbee_t)

# it needs read-only access to etc_t and to its own systemwide configuration
files_read_etc_files(bitlbee_t)
bitlbee_read_config(bitlbee_t)

# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)

# user account information is read and edited at runtime; give the usual
# r/w access to bitlbee_var_t
files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
allow bitlbee_t bitlbee_var_t:dir rw_dir_perms;
allow bitlbee_t bitlbee_var_t:file manage_file_perms;

# read-only access to /var/run
files_search_pids(bitlbee_t)

# bitlbee's own network sockets (UDP, TCP and unix domain sockets)
allow bitlbee_t self:udp_socket { create_socket_perms };
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
allow bitlbee_t self:unix_stream_socket { create_stream_socket_perms };
corenet_udp_sendrecv_generic_if(bitlbee_t)
corenet_udp_sendrecv_generic_node(bitlbee_t)
corenet_udp_sendrecv_lo_node(bitlbee_t)
corenet_tcp_sendrecv_generic_if(bitlbee_t)
corenet_tcp_sendrecv_generic_node(bitlbee_t)
corenet_tcp_sendrecv_lo_node(bitlbee_t)
corenet_all_recvfrom_unlabeled(bitlbee_t)

# Permit DNS requests
corenet_udp_sendrecv_dns_port(bitlbee_t)

# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)

# to AIM servers:
corenet_tcp_connect_aol_port(bitlbee_t)
corenet_tcp_sendrecv_aol_port(bitlbee_t)

# and to MMCC (Yahoo IM) servers:
corenet_tcp_connect_mmcc_port(bitlbee_t)
corenet_tcp_sendrecv_mmcc_port(bitlbee_t)

# and to MSNP (MSN Messenger) servers:
corenet_tcp_connect_msnp_port(bitlbee_t)
corenet_tcp_sendrecv_msnp_port(bitlbee_t)


[-- Attachment #1.3: bitlbee.if --]
[-- Type: text/plain, Size: 461 bytes --]

## <summary>Bitlbee service</summary>

########################################
## <summary>
##     Read bitlbee configuration files
## </summary>
## <param name="domain">
##     <summary>
##         Domain allowed accesss.
##     </summary>
## </param>
#
interface(`bitlbee_read_config',`
	gen_require(`
		type bitlbee_conf_t;
	')

	files_search_etc($1)
	allow $1 bitlbee_conf_t:dir { getattr read search };
	allow $1 bitlbee_conf_t:file { read getattr };
')


[-- Attachment #1.4: bitlbee.fc --]
[-- Type: text/plain, Size: 211 bytes --]

/usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
/etc/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_conf_t,s0)
/var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)

[-- Attachment #1.5: bitlbee-network-ports.patch --]
[-- Type: text/x-diff, Size: 1030 bytes --]

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in	(revision 2399)
+++ policy/modules/kernel/corenetwork.te.in	(working copy)
@@ -67,6 +67,7 @@
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
+network_port(aol, tcp,5190,s0, udp,5190,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
@@ -112,6 +113,8 @@
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
+network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mysqld, tcp,3306,s0)
 network_port(nessus, tcp,1241,s0)

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [refpolicy] policy & patch for bitlbee

[Christopher J. PeBenito]

On Sun, 2007-08-26 at 18:45 -0400, Devin Carraway wrote:
> On Sat, Aug 25, 2007 at 06:31:44AM -0400, Daniel J Walsh wrote:
> > So I would remove
> [...]
> > type bitlbee_share_t;
> > files_type(bitlbee_share_t)
> 
> After talking a bit about this on #selinux, I went ahead with your suggestion
> to remove bitlbee_share_t, and allow a usr_t read.  I kept bitlbee_conf_t,
> since it can have an authentication secret in it.
> 
> Here's an updated version.  It adds (and uses) an interface
> bitlbee_read_config() to permit reading bitlbee_conf_t.

Merged, with some reorganization.  Added an interface for tcp wrapper
services.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.